Hi Brian,

 

The PSA_IOT_PROFILE_1 profile is actually deprecated and has been superseded by the PSA 2.0 profile. We intended to remove support for it last year, but were unable to do so due to incompatibility with the psa-arch test suite.

 

Strictly speaking, the iat-verifier should still accept tokens using the EAN-13 format, as noted here:
https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-24#name-backwards-compatibility-con

 

However, once the version incompatibility between TF-M and psa-arch is resolved, we will proceed with removing support for PSA_IOT_PROFILE_1.

 

Do you plan to migrate to the new profile? Do you have any concerns about the removal of support for PSA_IOT_PROFILE_1?

We shared this plan on the mailing list previously, but so far haven’t received any feedback.

 

Best regards,
Tamas

 

From: Quach, Brian via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Monday, May 12, 2025 10:12 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] PSA_IOT_PROFILE_1 attestation Certification Reference

 

Hi,

 

Per https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07 (which is the latest spec I can find for the profile 1 token):

The Certification Reference claim is used to link the class of chip and PSA RoT of the attesting device to an associated entry in the PSA Certification database. It MUST be represented as a thirteen-digit [EAN-13].

Linking to the PSA Certification entry can still be achieved if this claim is not present in the token by making an association at a Verifier between the reference value and other token claim values - for example, the Implementation ID.

psa-certification-reference-type = text .regexp "[0-9]{13}"
 
psa-certification-reference = (
    ? psa-certification-reference-key =>
        psa-certification-reference-type
)
 

 

But in the tf-m-tools repo:

 

iat-verifier\iatverifier\psa_iot_profile1_token_claims.py checks for the PSA 2.0 profile HW version, which is EAN-13 + 5.

 

class HardwareVersionClaim(AttestationClaim):
    """Class representing a PSA Attestation Token Hardware version claim"""
    def verify(self, token_item):
        self._check_type('HARDWARE_VERSION', token_item.value, str)

        value_len = len(token_item.value)
        expected_len = 19 # 'EAN13-Version' 13 + 1 + 5. e.g.:0604565272829-10010
        if len(token_item.value) != expected_len:
            msg = 'Invalid HARDWARE_VERSION length; must be {} characters, found {} characters'
            self.verifier.error(msg.format(expected_len, value_len))
        for idx, character in enumerate(token_item.value):
            if character not in string.digits:
                if idx != 13 or character not in '-':
                    msg = 'Invalid character {} at position {}'
                    self.verifier.error(msg.format(character, idx+1))

 

It seems like this was changed 3 years ago:

SHA-1: 8ac8d17d15353c7f7933ae8065646946ae47f993

* Fix HW Version claim expected length

www.psacertified.org issuing HW versions of format '[0-9]{13}-[0-9]{5}'.
It is called 'certification reference':
https://www.psacertified.org/certified-products/

Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I0417e1ce76896f1128864676f29a4314b3fd1fb8

 

 

When I run the “check_iat” script, I get these errors:

 

./scripts/check_iat -k public_key.pem -K -p -t PSA-IoT-Profile1-token cc27xx.cbor
ERROR:iat-verifiers:Invalid HARDWARE_VERSION length; must be 19 characters, found 13 characters
ERROR:iat-verifiers:Invalid character i at position 1
ERROR:iat-verifiers:Invalid character r at position 2
ERROR:iat-verifiers:Invalid character m at position 3
ERROR:iat-verifiers:Invalid character w at position 4
ERROR:iat-verifiers:Invalid character a at position 5
ERROR:iat-verifiers:Invalid character r at position 6
ERROR:iat-verifiers:Invalid character e at position 7
ERROR:iat-verifiers:Invalid character . at position 8
ERROR:iat-verifiers:Invalid character o at position 9
ERROR:iat-verifiers:Invalid character r at position 10
ERROR:iat-verifiers:Invalid character g at position 11
ERROR:iat-verifiers:Invalid character  at position 12
ERROR:iat-verifiers:Invalid character  at position 13

 

 

Is the verifier tool incorrect, or should I be following “'EAN13-Version' 13 + 1 + 5” even for a profile 1 token?

 

 

Regards,

Brian Quach
SimpleLink MCU
Texas Instruments Inc.
12500 TI Blvd, MS F-4000
Dallas, TX 75243
214-479-4076
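
An added example, not part of the thread and not tf-m-tools code: a standalone check that accepts both certification reference formats discussed above (13-digit EAN-13 and the 13 + 1 + 5 form) and reports one message per value rather than one per character. The function names are hypothetical, and the EAN-13 check-digit test is an assumption layered on top; the CDDL quoted in the thread only requires 13 digits.

```python
import re

# Formats quoted in the thread.
EAN13_RE = re.compile(r"[0-9]{13}")               # profile 1 CDDL, draft -07
EAN13_VER_RE = re.compile(r"[0-9]{13}-[0-9]{5}")  # as issued by psacertified.org


def ean13_check_digit_ok(digits):
    """Standard EAN-13 checksum over the first 12 digits (weights 1,3,1,3...).

    Advisory only (assumption): the quoted CDDL constrains the claim to
    13 digits and says nothing about the check digit.
    """
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def check_certification_reference(value):
    """Return (format_name or None, list_of_messages) for one claim value."""
    if not isinstance(value, str):
        return None, ["certification reference must be a text string"]
    # fullmatch() rejects trailing newlines and any extra characters.
    if EAN13_VER_RE.fullmatch(value):
        fmt = "EAN13-Version"
    elif EAN13_RE.fullmatch(value):
        fmt = "EAN-13"
    else:
        # One message for the whole value instead of one per character.
        return None, ["expected 13 digits or 13 digits + '-' + 5 digits, "
                      "found {!r} ({} characters)".format(value, len(value))]
    notes = []
    if not ean13_check_digit_ok(value[:13]):
        notes.append("EAN-13 check digit does not match (advisory)")
    return fmt, notes


if __name__ == "__main__":
    # Constructed samples: the first is the example from the code comment in
    # the thread; the last is a non-numeric placeholder string.
    for sample in ("0604565272829-10010", "0604565272829", "0604565272820",
                   "example.org  "):
        print(repr(sample), check_certification_reference(sample))
```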